Hi
I have uploaded a log that contains the below type of events with a timestamp;
After uploading into Splunk, I am getting the view which contains the fields _time, source, host, sourcetype, punct and _raw.
Question 1) The date in the log shows Apr 28 2013 11.05, but in Splunk under the _time field it shows as "4/28/2013 12:55:33". How to solve this issue?
Question 2) I need to count the number of _raw fields which contain data and which are blank using the timestamp. For example, at the time of Apr 28 2013 11.05, the count of _raw fields having some data and the count of _raw fields not having any data or blank. How to do this?
Sorry, I am not able to attach the image or screenshot of the Splunk view with this query since I am getting an error.
Please share any mail id so that I can provide a sample of the Splunk view to understand better if needed.
Your events actually contain two timestamps.
One is the rather clumsy one in the beginning of the event, which I believe can be problematic for Splunk to understand without specific configuration from you.
The other is the epoch timestamp further into the message. This is just a string of numbers denoting the number of seconds since midnight on Jan 1st 1970, e.g. <1367147130836> in your event above.
Either of these can be used by you, but will require some configuration of the props.conf file.
If you want to use the first timestamp, then your props would look something like this:
[your_sourcetype]
TIME_PREFIX = ^<
TIME_FORMAT = %b %d, %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 50
If you want to use the second timestamp, then your props would look something like this:
[your_sourcetype]
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 500
If you look closely, there is a difference (in time) between the two timestamps. In your example, the first timestamp stays the same, but the epoch increases slightly.
More info to be found here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://strftime.net/
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
Hope this helps,
Kristian
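To see what the two props.conf variants above actually do to _time, and to get a first answer to Question 2, here is an added Python example (not Kristian's code, and not Splunk's own parser). It applies the same TIME_PREFIX / TIME_FORMAT logic as the first stanza to the leading timestamp, reads the 13-digit value later in the event as epoch milliseconds (an assumption about the poster's log), and then buckets constructed sample events per minute into "has data" versus "blank". Blank events have no timestamp of their own, so the example gives them the previous event's time, which is what Splunk does for an event in which it finds no timestamp; the sample events themselves are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Mirrors the props.conf settings from the answer: TIME_PREFIX = ^< and
# TIME_FORMAT = %b %d, %Y %H:%M:%S for the leading timestamp. The trailing
# 13-digit value is read as epoch milliseconds (assumption about the log).
FIRST_TS_RE = re.compile(r"^<([^>]+)>")
FIRST_TS_FORMAT = "%b %d, %Y %H:%M:%S"
EPOCH_MS_RE = re.compile(r"<(\d{13})>")

# Constructed sample events, not the poster's real log. Two of them are blank.
SAMPLE_EVENTS = [
    "<Apr 28, 2013 11:05:00> <INFO> <Server started> <1367147130836>",
    "",
    "<Apr 28, 2013 11:05:00> <INFO> <Accepting connections> <1367147160500>",
    "   ",
    "<Apr 28, 2013 11:06:00> <WARN> <Slow request> <1367147190004>",
]


def parse_first_timestamp(raw):
    """Parse the human-readable timestamp at the start of the event (assumed UTC)."""
    m = FIRST_TS_RE.match(raw)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), FIRST_TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_epoch_timestamp(raw):
    """Parse the 13-digit epoch-millisecond value found later in the event."""
    m = EPOCH_MS_RE.search(raw)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)


def timestamp_delta_seconds(raw):
    """Seconds by which the epoch timestamp is ahead of the leading one."""
    first, epoch = parse_first_timestamp(raw), parse_epoch_timestamp(raw)
    if first is None or epoch is None:
        return None
    return (epoch - first).total_seconds()


def count_blank_vs_data(events, use_epoch=False):
    """Per-minute counts of events that carry data versus blank events.

    A blank event has no timestamp of its own; as Splunk does for an event
    without a recognisable timestamp, it inherits the previous event's time.
    Returns {"YYYY-MM-DD HH:MM": {"data": n, "blank": n}}.
    """
    parse = parse_epoch_timestamp if use_epoch else parse_first_timestamp
    counts = defaultdict(lambda: {"data": 0, "blank": 0})
    last_ts = None
    for raw in events:
        ts = parse(raw) or last_ts
        if ts is None:
            continue  # no timestamp seen yet, nothing to bucket on
        last_ts = ts
        key = ts.strftime("%Y-%m-%d %H:%M")
        counts[key]["blank" if raw.strip() == "" else "data"] += 1
    return dict(counts)


if __name__ == "__main__":
    print("epoch minus first timestamp (s):", timestamp_delta_seconds(SAMPLE_EVENTS[0]))
    print("using first timestamp:", count_blank_vs_data(SAMPLE_EVENTS))
    print("using epoch timestamp:", count_blank_vs_data(SAMPLE_EVENTS, use_epoch=True))
```

Run it and compare the two count tables: with the sample data the second event's epoch value has already rolled into the next minute while its leading timestamp has not, so the choice of TIME_FORMAT in props.conf changes which minute an event (and any blank event after it) is counted in. Once _time is extracted the way you want, the same grouping in Splunk is a search over the sourcetype with an eval that tests whether _raw is empty, followed by a timechart count split by that field.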